@hienlh/ppm 0.13.17 → 0.13.19

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.13.19] - 2026-04-25
+
+### Fixed
+- **Windows upgrade no auto-restart**: `ppm upgrade` on Windows upgraded files but didn't restart the server — SIGUSR1 doesn't exist on Windows. Now writes command file that supervisor polls every 1s
+- **Windows path traversal rejection**: File tree lazy-loading and zip downloads failed on Windows hosts — `assertWithinProject` hardcoded `/` separator instead of `path.sep`
+- **Upload response backslash paths**: Upload endpoint returned `input\file.jpg` on Windows instead of `input/file.jpg`, breaking frontend path matching
+
 ## [0.13.17] - 2026-04-25
 
 ### Fixed

package/assets/skills/ppm/SKILL.md

@@ -71,4 +71,4 @@ This skill covers the `ppm` CLI, its HTTP API, and its config DB. It does **not*
 - Third-party extensions (inspect via `ppm ext list`).
 - The Claude Agent SDK internals (separate skill).
 
-<!-- Generated for PPM v0.13.17 at build time. Re-run `ppm export skill --install` to refresh. -->
+<!-- Generated for PPM v0.13.19 at build time. Re-run `ppm export skill --install` to refresh. -->

package/assets/skills/ppm/references/http-api.md

@@ -201,4 +201,4 @@ _Base URL: `http://localhost:8080` (default; override via `ppm config set port <
 - `ws://<host>/ws/terminal` — PTY terminal multiplexer
 - `ws://<host>/ws/extensions` — extension host channel
 
-<!-- Generated from src/server/routes/ for PPM v0.13.17 -->
+<!-- Generated from src/server/routes/ for PPM v0.13.19 -->

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hienlh/ppm",
-  "version": "0.13.17",
+  "version": "0.13.19",
   "description": "Personal Project Manager — mobile-first web IDE with AI assistance",
   "author": "hienlh",
   "license": "MIT",

package/src/server/routes/file-download.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import { resolve, basename } from "node:path";
+import { resolve, basename, sep } from "node:path";
 import { existsSync, statSync } from "node:fs";
 import archiver from "archiver";
 import { createDownloadToken } from "../../services/download-token.service.ts";
@@ -24,7 +24,7 @@ downloadRoutes.get("/zip", async (c) => {
     if (!dirPath) return c.json(err("Missing query parameter: path"), 400);
 
     const absPath = resolve(projectPath, dirPath);
-    if (!absPath.startsWith(projectPath + "/") && absPath !== projectPath) {
+    if (!absPath.startsWith(projectPath + sep) && absPath !== projectPath) {
       return c.json(err("Access denied"), 403);
     }
     if (!existsSync(absPath)) return c.json(err("Directory not found"), 404);

package/src/server/routes/files.ts

@@ -164,7 +164,7 @@ fileRoutes.post("/upload", async (c) => {
       const absPath = resolve(absTargetDir, safeName);
       if (!absPath.startsWith(projectPath)) return c.json(err("Access denied"), 403);
       await Bun.write(absPath, file);
-      uploaded.push({ name: safeName, path: absPath.slice(projectPath.length + 1), size: file.size });
+      uploaded.push({ name: safeName, path: absPath.slice(projectPath.length + 1).split("\\").join("/"), size: file.size });
     }
 
     return c.json(ok({ uploaded }), 201);

package/src/services/file-list-index.service.ts

@@ -6,7 +6,7 @@
  */
 
 import { existsSync, readdirSync, readFileSync } from "node:fs";
-import { resolve, relative, join } from "node:path";
+import { resolve, relative, join, sep } from "node:path";
 import ignore, { type Ignore } from "ignore";
 import type { FileEntry, FileDirEntry } from "../types/project.ts";
 import { matchesGlob, resolveFilter } from "./file-filter.service.ts";
@@ -50,7 +50,7 @@ function loadGitignore(projectPath: string): Ignore {
 
 function assertWithinProject(relPath: string, projectPath: string): void {
   const abs = resolve(projectPath, relPath);
-  if (!abs.startsWith(projectPath + "/") && abs !== projectPath) {
+  if (!abs.startsWith(projectPath + sep) && abs !== projectPath) {
     throw new SecurityError("Path traversal not allowed");
   }
 }

package/src/services/supervisor.ts

@@ -940,6 +940,16 @@ export async function runSupervisor(opts: {
       else if (cmd.action === "resume") {
         if (getState() === "stopped" || getState() === "paused") triggerResume();
       }
+      else if (cmd.action === "upgrade") {
+        log("INFO", "Windows command: upgrade, starting self-replace");
+        selfReplace().then((result) => {
+          if (!result.success) {
+            log("ERROR", `Self-replace failed: ${result.error}, restarting children`);
+            spawnServer(serverArgs, logFd);
+            if (opts.share && !tunnelChild && !tunnelUrl) spawnTunnel(opts.port);
+          }
+        });
+      }
     }, 1000);
   }
 

package/src/services/upgrade.service.ts

@@ -3,7 +3,7 @@
  * detects install method, runs install command.
  */
 import { resolve } from "node:path";
-import { readFileSync } from "node:fs";
+import { readFileSync, writeFileSync } from "node:fs";
 import { VERSION } from "../version.ts";
 import { isCompiledBinary } from "./autostart-generator.ts";
 import { getPpmDir } from "./ppm-dir.ts";
@@ -99,14 +99,21 @@ export async function applyUpgrade(): Promise<{
   }
 }
 
-/** Send SIGUSR1 to supervisor to trigger self-replace after upgrade */
+/** Signal supervisor to trigger self-replace after upgrade.
+ *  Unix: SIGUSR1. Windows: command file (supervisor polls every 1s). */
 export function signalSupervisorUpgrade(): { sent: boolean; error?: string } {
   try {
     const data = JSON.parse(readFileSync(resolve(getPpmDir(), "status.json"), "utf-8"));
     const pid = data.supervisorPid;
     if (!pid) return { sent: false, error: "No supervisor PID" };
     process.kill(pid, 0); // check alive
-    process.kill(pid, "SIGUSR1");
+
+    if (process.platform === "win32") {
+      const cmdFile = resolve(getPpmDir(), ".supervisor-cmd");
+      writeFileSync(cmdFile, JSON.stringify({ action: "upgrade" }));
+    } else {
+      process.kill(pid, "SIGUSR1");
+    }
     return { sent: true };
   } catch (e) {
     return { sent: false, error: (e as Error).message };